AuroraMiddleware/mbedtls
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Improve description of PSA_KEY_USAGE_COPY

Browse Source 
Be more clear about when EXPORT is also required.
This commit is contained in:
Gilles Peskine 2019-05-14 16:25:50 +02:00
parent c160d9ec83
commit d6a8f5f1b5
2 changed files with 14 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
include/psa/crypto.h
View File

@ -852,12 +852,13 @@ psa_status_t psa_export_public_key(psa_key_handle_t handle,
* *
* The policy on the source key must have the usage flag * The policy on the source key must have the usage flag
* #PSA_KEY_USAGE_COPY set. * #PSA_KEY_USAGE_COPY set.
* In addition, some lifetimes also require the source key to have the * This flag is sufficient to permit the copy if the key has the lifetime
* usage flag #PSA_KEY_USAGE_EXPORT, because otherwise the source key * #PSA_KEY_LIFETIME_VOLATILE or #PSA_KEY_LIFETIME_PERSISTENT.
* is locked inside a secure processing environment and cannot be * Some secure elements do not provide a way to copy a key without
* extracted. For keys with the lifetime #PSA_KEY_LIFETIME_VOLATILE or * making it extractable from the secure element. If a key is located
* #PSA_KEY_LIFETIME_PERSISTENT, the usage flag #PSA_KEY_USAGE_COPY * in such a secure element, then the key must have both usage flags
* is sufficient to permit the copy. * #PSA_KEY_USAGE_COPY and #PSA_KEY_USAGE_EXPORT in order to make
* a copy of the key outside the secure element.
* *
* The resulting key may only be used in a way that conforms to * The resulting key may only be used in a way that conforms to
* both the policy of the original key and the policy specified in * both the policy of the original key and the policy specified in

12
include/psa/crypto_values.h
View File

@ -1461,13 +1461,15 @@
/** Whether the key may be copied. /** Whether the key may be copied.
* *
* This flag allows the use of psa_crypto_copy() to make a copy of the key * This flag allows the use of psa_copy_key() to make a copy of the key
* with the same policy or a more restrictive policy. * with the same policy or a more restrictive policy.
* *
* For some lifetimes, copying a key also requires the usage flag * For lifetimes for which the key is located in a secure element which
* #PSA_KEY_USAGE_EXPORT, because otherwise the source key * enforce the non-exportability of keys, copying a key outside the secure
* is locked inside a secure processing environment and cannot be * element also requires the usage flag #PSA_KEY_USAGE_EXPORT.
* extracted. For keys with the lifetime #PSA_KEY_LIFETIME_VOLATILE or * Copying the key inside the secure element is permitted with just
* #PSA_KEY_USAGE_COPY if the secure element supports it.
* For keys with the lifetime #PSA_KEY_LIFETIME_VOLATILE or
* #PSA_KEY_LIFETIME_PERSISTENT, the usage flag #PSA_KEY_USAGE_COPY * #PSA_KEY_LIFETIME_PERSISTENT, the usage flag #PSA_KEY_USAGE_COPY
* is sufficient to permit the copy. * is sufficient to permit the copy.
*/ */